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Abstract 

Modifications to a previous proof of the security of EPR-based quan- 
tum key distribution are proposed. This modified version applies to a 
protocol using three conjugate measurement bases rather than two. A 
higher tolerable error rate is obtained for the three-basis protocol. 



1 Introduction 



A modified version of a proof of the security |i] of EPR-based quantum key 
distribution is proposed. Based on the works [^3], this modified version applies 
to a protocol using three conjugate measurement bases rather than two. Only 
modified parts of the proof are presented here. The framework of our study and 
the remaining parts of the proof can be found in M. 



2 The protocol 

We describe the quantum key distribution protocol under consideration. It is 
a variation of the protocol described in [Q using three conjugate measurement 
bases rather than two. In this variation, the source is supposed to emit pairs 
of photons with orthogonal polarisations. As a consequence, Alice's bits and 
Bob's bits are anticorrelated when no error occurs. 

Protocol setup 

Alice and Bob specify: 

• TO, the length (in bits) of the private key to be generated. 

• e, the maximum threshold value for the error rate during the quantum 
transmission (e < 1/4). 

• T, a security constant such that < + r < 1. 

• the security parameter r. It must be large enough so that Alice and 
Bob can find a binary matrix K of size m x r such that any linear 
combination of rows of K that contains at least one row of K has 
weight greater than dx = [j^ +tJ r. Alice and Bob choose one 



1 



such matrix K. Shannon's coding theorem tells that for asymptotic 
values of to, such matrix can be found if r obeys the inequality: 



< 1 
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• An error reconciliation scheme for strings of length s ~ 
as specified in 

• n, the number of pairs of photons to be sent to the legitimate parties. 
A good choice for n is -rrrf — where ts is a small but strictly 

-3 'TS 

positive constant. 
Quantum transmission 

• A source sends a sequence of n photons to Alice and another sequence 
of n photons to Bob. It is assumed that ideally, for each i G {1 . . . n}, 
the source emits a pair of photons in the state: 

_ |0)q|1)o-|1)o|0)o 

and that Alice's i-ih photon is the first photon of this pair, and 
Bob's i-th photon is the second photon of this pair. The kets | 0)o 
and 1 1)0 form an orthonormal basis "0" of the Hilbert space de- 
scribing the polarisation of one photon. The kets | 0) 1 = I 



and I 1)1 = I o)crH ^)» form its first conjugate basis "1". The sec- 

_ I 0)q+»| 1)0 



ond conjugate basis "2" is formed by the kets | 0)2 = and 
|l)2 = zM-iLI)o. 

As in [0 , the source needs not to be trusted and can be under Eve's 
control. The only assumption is that Alice and Bob receive a se- 
quence of n single photon signals on each side. 

• We assume that the measurement devices of Alice and Bob have 
efficiency one. For each i E {1 . . . n}, 

1. Alice picks randomly a basis g {0,1,2} with uniform proba- 
bility distribution. Alice measures her z-th photon in the basis 
fli, obtaining the outcome ai G {0, 1}, corresponding to the state 

I "i)a.- 

2. Similarly, Bob picks randomly and independently of Alice a ba- 
sis bi e {0,1,2} with uniform probability distribution. Bob 
measures his i-th photon in the basis bi, obtaining the outcome 
Pi G {0, 1}, corresponding to the state | Pi)bi- 

Sifting 

Alice and Bob compare publicly their bases a and b. We denote by d the 
vector in {0, 1, 2}" defined by d,; = bi — ai (mod 3) for alH e {1 . . . n}. 
If the number of indexes i € {1 . . .n} such that = bi is greater than 
or equal to s then the sifted set S is the set of the first s such indexes. 
Otherwise the validation test is failed. The bit strings as and ^/3s are the 
sifted keys, where for any vector x S {0, 1}", we denote by the vector 
whose i-th entry is 1 -I- Xi (mod 2) for all i e {1 . . . n}. 
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Error correction 

Alice and Bob perform the error correction on their sifted keys as and -^Ps 
as specified in the protocol setup. The error set E is the set of indexes 
i in S in which an error is found, that is, ~ f3i. The error vector e is 
the vector in {0, 1}* giving the positions of the errors (V? G {1, ... , s}, 
= 1 if and only if = j3i). We denote by e the size of the set E. The 
validation test is passed if e < es, otherwise it is failed. If the validation 
test is passed, then the reconciled set R is the set of the first r indexes 
i € S\E. Therefore \R\ = r and Vi & R, Ui = hi and Ui = ^Pi. Ahce and 
Bob obtain with high probability an identical string of bits € {0, 1}'', 
called the reconciled key. 

Privacy amplification 

The private key is defined as: 

1. K = Kan (mod 2) if the validation test is passed. 

2. an m-bit string k, picked randomly by Alice with uniform probability 
distribution each time the validation test is failed. 

3 Privacy of the protocol 

The privacy of the three-basis protocol is stated and the achievable key-creation 
rate discussed. 

Property 1 The protocol described above offers perfect privacy: for any eaves- 
dropping strategy chosen by a possible eavesdropper, the conditional entropy of 
the private key k given the eavesdropper's view v is bounded from below by: 

H{k\v) > m - 2 (^m + {e{r) + 2^%)) , 

where 

eir) = e-TS^^''. 

The above bound applies for any value of the security parameter r such that 
the matrix K specified in the protocol exists. 

Therefore, for asymptotic values of the security parameter r, a net gain in 
shared private bits can be obtained if: 

i-.(l^)-^M.)>o. 

since sh{e) bits are required for the one-time pad encryption during the error 
reconciliation, as in [Q. 

In comparison, we proved that for the original protocol using two measure- 
ment bases only, a net gain in shared private bits can be obtained if: 

i-/.(^)-^M.)>o. 
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Therefore, the three-basis protocol seems to be more robust than the original 
protocol. However, one must realise that a given threshold value on the error 
rate gives different physical constraints on the quantum channel depending on 
whether two-basis or three-basis protocol is used. Whether the two-basis or 
the three-basis protocol is more robust and efficient depends on the technology 
chosen to implement the transmission and the reception of the quantum signals. 



4 Proof of the privacy 

The proof of the above result is given, ft is mainly identical to the proof proposed 
in for the original protocol. Therefore, only parts that are different from this 
previous proof are detailed. The main difference between the previous proof 



and this proof resides in Section 4.3 



4.1 Notations 

We define the notations used throughout the proof. They are similar to the ones 
used in but the indexes for Bell states have been modified. The notations 
have been adapted to deal with three bases. 

Classical data 

We denote by C = (a, 6, cJ, /3) the classical data Alice and Bob generate 
during the protocol (after the setup) . We denote by P = (a, d, e) the data 
that are publicly announced by Alice and Bob during the protocol. For 
any possible P, we denote by Cp the set of values for the classical data 
that are compatible with the public announcement of P. That is, for a 
given P = {a,d,e), 

Cp ^ {C = (a',6',d',/3') : a' = a, 
\fi, b[~ai-\- di (mod 3) 
Vi £E,a[= (3[ and Vi € \ = ^(3[ 
where S and E are given by d and e.}. 

Given a possible P and a value for the private key /?, we define Cp.g as 
the set of values for the classical data that are compatible with the public 
announcement of P and generation of k for the private key. That is, for a 
given P = (a , d, e) , 

CpM ^ {C - (a', b\ a', /?') : a' = a, 
Vi, 5'j ~ ai + di (mod 3) 
Vi eE,a',= [3[ and S\E, a',= ^I3[ 
Ka'j^ = K (mod 2), 

where S, E and R are given by d and e.}. 

Finally, we denote by V the set of all possible public announcements for 
which the validation test is passed. That is, 

V — {P — (d, d, e) : wo{d) > s and e < es}. 
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We denote by T the subset S\{E(jR), and by t the size of T. 



Bell states 

For each i G {1 . . . n}, we define the Bell basis {| 0)i, | \ 2)i, \ 3)i} of 
the i-th pair of photons as: 

|0)0,»|1)0,^- |1)0,^|0)0,^ 
|0)0.^|1)0.» + |1)0,^|0)0.. 

V2 

|0)o.»|0)o..-|l)o,»|l)o.» 
^/2 

|0)o.»|0)o.. + |l)o.»|l)o.» 
^/2 

where the first and the second state in the product states in the rhs. cor- 
respond to Alice's and Bob's i-th photon's polarisation state, respectively. 

Given a basis a e {0, 1, 2}, we define Xa as the set of indexes of Bell states 
that are compatible with Alice and Bob measuring in the same basis a and 
obtaining opposite bit values (corresponding to a faithful transmission, as 
the source is supposed to emit an antisymmetric state). Likewise, we define 
Ya as the set of indexes of Bell states that are compatible with Alice and 
Bob measuring in basis a and sharing the same bit value (corresponding 
to an error). That is, Xq = {0, 1}, Xi = {0, 2}, X2 = {0, 3}, Yq = {2, 3}, 
Yi = {1,3} and Y2 ~ {li2}. Given the choice of bases a and a set 
A C {l...n}, we define Xa^ as {c^ G {0,1,2,3}-^ : Vi € A, q € XaJ 
and as {ca G {0,1,2,3}"^ : Vi € A, q € Ya-}. Given a reconciled set 
R and the choice of bases a,^ on R, for any Cr G Xa^ , we will denote by 
7 the unique 7 G {0, 1}'" such that for each i G {1, . . . , r}, q = (1 + ai)^i. 

For any vectors x, y ^ {0, 1}'', we define x ■ y as x ■ y ^= X)i=i ^iVi- Given 
R and Oh, for any Cr G ATa^, we have the identity (q^-ri ^Q^-r = 
" — - — 1 where tTq^^ is a vector in {0, 1}'' with its i-th entry 
equal to 1 if and only if = 2. 



|0). = 

|1>. = 

1 2) . = 

1 3) , = 



4.2 Model of measurements 

The mathematical model of measurements on the quantum state generated by 
the source is almost identical to the one described in . 

The state of the n couples of photons and the probe created by Eve reads 

as: 

p = Y^\Es){Es,\®\^{^\, 

where the states | Es) are states of Eve's probe that are possibly nor orthogonal 
nor normalised. The positive operator giving the probability that Alice and Bob 
get C = (a, b,d,l3) as their classical data is: 

Fc = Pa(a)P5(6)| d,/3).g„._g(d,/3 I, 



5 



where Pa(a) = 1/3" and Pg(&) = 1/3" for any choice of a and h. Note that since 
for all i e {1 . . .n}, di = bi — ai (mod 3), we have Pg{a)Pj^{b) ~ Pg{a)P^d) 
where Pj<(i) = 1/3". 

The positive operator giving the probability that Alice and Bob publicly 
announce P = (a, d, e) while they get the private key k is: 

Fp^ft = Pa(a)P^d)%® ^ | Ob, aE)aE,aE aE.ag (as, | 

Qj=;e{oa}= 

(g) ^ I ar, ^aT)aT ,or aT:aT("r,^aT I 
aTe{0,l}' 

® X! \ctRi^Ctii)aii.aRaR,aR{aR,^aR\, 

anelO,!}": 
Kapi—K (mod 2) 

and the positive operator giving the marginal probability that Alice and Bob 
publicly announce P — (a, d, e) is: 

Fp = Ps(d)P^d)l-s'E) ^ \aE,aE)aE,aE aE,aE{<^E,CtE\ 

aE€{0,l}° 

aTG{0,l}' 
ajieiO,!}'- 

Note again that when no error occurs, Alice's bit and Bob's bit are anticor- 
related. 

We denote by Vp the set of views v that are compatible with the pub- 
lic announcement P. The positive operator giving the probability that Eve 
gets the view v given that Alice and Bob announced P will be denoted by 
Gv\p = I Xv\p){Xv\p I, where we assume again without loss of generality that 
the operators Gy\p are of rank one. 

4.3 The role of the vahdation test 

Here a variation of the Property 2 in ||l| is given. It is shown that when three 
bases are used for the validation test, the constraint on the photon state created 
by Eve is more stringent. Given a possible reconciled set R, let Ilji be the 
orthogonal projection operator defined as: 

cG{0,l,2,3}" : 
w{cR)>dK/2 

= E \Cr){Cr\. 

CRe{0,l,2,3Y : 
w(cR)>dK/2 

The following property is then proved. 



6 



Property 2 The eigenvalues of the semi-definite positive Hermitian operator 

Per 

where R is specified by P in the sum, are bounded from above by 

0{r) = e-^^^\ 
Proof The above operator can be written as; 

^^'^ de{0,l}": ee{0,l}'*: ^ " ^ 

WQ{d)>s w{e)<€s 

Now for given d and e, 



where 

= |0)(0| + i|l)(l| + i|2)(2| + i|3)(3|, 

Y, = ^|l)(l| + ^|2)(2| + ^|3)(3| 

are operators acting on i-th photon pair's Hilbert space. The last equahties are 
derived directly from the definition of the Bell states. As a consequence, we 
have, 



\ a / „ ,-rn 1 • 



3™(c-r) / ■ 

CRe{0,l,2,3}: 
w{cR)>dK/2 



Now, given d G {0, 1}", the operator: 

e:w{e)<es \ a / 

is diagonal in the Bell basis | c). Given a vector c G {0, 1, 2, 3}" and an error 
vector e e {0, 1}*, a necessary condition for the scalar: 

to be non zero is that for all ?' G 5, ei = if q = and w{cs) > ^ + e. There 
are ('"^g®'') such vectors t? of weight e, if < e < es and e < w{cs) — dx/'^^- 
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Therefore, 



e:w{e)<€s \ a / 



e / -. \ w{cs) — e 



0<e<es 
e<«;(cs)-ds:/2 



Now, (Ik is either greater or smaller than ^w{cs) (1 + r(l — e)). 



If dK > iw{cs) (1 + r(l - e)), then 



^(^s) ~ ^ < ^■*i'(cs) f 1 — ^'''(l — e) ) and, 



2 3 ' ' V 2 



• iidx < iw{cs) (1 + r(l - e)), then 



er 

es < 



1 - e 

= — Tr 

< ^w{cs)(l-\T{l-e)], 



where we have used r > s(l — e) and s > w{cs). 
We thus derived that: 

(c| J2 nfifj^FpJnHlc) 

e:w(e)<es \ a / 



w{cs)\ f2Y (I 



w{cs) — e 



^ ''^^''^ ^ V e A3 

0<e<|u,(cs)(l-^T(l-e)) 

< p^d:)e-^-'^ 

where we have used the binomial inequality stating that J2o<k<{p-t)n {k)p''(^~ 
p^n-k ^ e~^*^" for any positive integer n and 0<p— t<p<l. In the last 
inequality we have used the inequalities e < 1/4 and w(cg) > d^/'^ when the 
above scalar is non zero. 

Remarking that the operator ^^^^ IIpFpIIp is diagonal in the Bell 

basis for all d and J2d-wo{d)>s ^d(^) — -*■> concludes the proof. □ 
The above property implies that: 



Tr(lEve ® Yl ^rPp'^Rp) < 



Pev 
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where Ievc is the identity operator acting on the Hilbert space of the probe. 
That is, 

CE^Y^E' w{cR)>dK/2 

creXaj. 

4.4 Quasi-independence of the key and the view 

In this section we compute the joint probabihty distribution of the key and the 
view. We prove that this distribution is very close to a product of an uniform 
distribution for the key and the marginal probability distribution of the view. 
This section is identical to the Section 5.4 of the previous proof, except for the 
apparition of few phase factors that do not appear in the final result. 

Property 3 For any given eavesdropping strategy chosen by Eve and returning 
a view v, the probability distribution of the key k and the view v obeys the 
following inequality: 

EE E P^.i^,v)^^P.{v) <2{0{r)+2^r 
PeVveVp ;;g{o,i}" 

where m is the length of the private key and r is the size of the reconciled set. 
Proof For any k £ {0, 1}™, P and v E Vp, we have: 

= Tr(G,|p Fp^f. p) - 2^^Tr(a|p ® Fp p) 



Va{d)P^d) {Ec'\G,\p\Es)5,.df,,,,{^,^'), 



c.c 



CE.c'ESYaj^, 

CT ,Crj.^Xarp , 

where 

- ..-^ C_1 '|aR-(7+7') 1 



KaR—K (mod 2) 



where we have used the identity aR,aa{ctR, ^C(r \cr) — " — - — for 
any Cr G XaR (note that ^7 + ^7' = 7 + 7')- 

Let's define G as the set of all linear combinations over {0, 1} of rows of K. 
It has been proved in [|l| that: 

V f_n"«-(7-+7') = / (-i)«--(^~+^~')2'-" if 7 + f e 5, 
^ ^ ' I if 7 + 7' ^ 5 

aK6{0,l}" : 
KoLR—K. (mod 2) 
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where 9fi is a vector in {0, 1}'' such that KOfi = k (mod 2). We have: 



where Uyf^c-j^ and V^kc-jj are complex vectors of dimension 2'' and A is a 2'' x 2'' 
complex matrix, whose entries are indexed by 7 G {0, l}*". The 7-th entry of 
Uv^c-ir and V^fic-ir are: 



if u)(7) > dK/2. 

if w(7) < dK/2, 

'7 " I (-l)'--^~(-«)*"«-^~(x.|P |i?c) if z«(7) > 
where c is given by c-r and 7. The (7, 7')-th entry of A is, as in [|l[|: 



1 if 7 + f e ^^\{0}, 

if 7 + f ^ e^\{o}. 



This imphes C/^-^AC/^gc-;^ = 0, since ^(7) < dx/^ and ^(7') < dx/^ 

implies that w{j + 7') < d^, that is, 7 + 7' ^ C/ \ {0}. The matrix A is 
diagonalised in the same manner as in [p|, and we obtain: 



ctG{0,1}"\0 



xes 



CTe{o,i}'"\o 

where 5 is a subspace of {0, 1}'' supplement to Q, and for any z E {0, 1}™, 

w(x+y)<(ij</2 
w(x+y)>dK/2 

where for any y G Q, ujff is the unique vector in {0, 1}™ such that K'^uj^ = y 
(mod 2). 

From this one derives the inequality: 

E E E P^.i'i,v)-i^PAv) <2(2"-l)(r, + 2V^y|), 



PeVvGVp Ke{o,i}" 
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where 



Pev 



E E E EEP'^(«)Pd(rfli^ 



We then derive an upper-bound on rj and ^. We have: 

= EPH(a)p,-<d) E EE E E 



Pev 



on'- 



v£Vp xeS 



22m 



u;(x+a)>dK/2 
w{x+y')>dK/2 



x{-^f'^n■v(+^f^n■v'{E,,\x.lp){Xv\p\Es) 

-L ^ Ps(a)P,-<d) E E E E(^Hx.|P>(x.|p|i?c-) 



Pev 



cseY^j: 

creXa. 



w{x+y)>dK/2 



using the result of the previous section. Similarly, 



Consequently, 



^ - 2"! 



EE E 



< 2 



(^?(r)+2V%) 



which concludes our proof. 



□ 



4.5 Bound on the conditional entropy 

As in we conclude the proof of privacy thanks to the following property. 

Property 4 Let x and y be two discrete random variables taking values in the 
sets X and y respectively. Let ^ be a nonnegative real number. Lf the following 
inequality is satisfied: 



E 

xex,yey 



< 
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then the conditional entropy of x given y is lower-bounded by: 



Hix\y)>{l~t,) log2 lA-l - ^/x. 

The proof of this property has been given in . The probabiHty distribution 
of the private key and the view obeys the inequaUty: 



E 



K(E{0,1}" 



<2(0(r) + 2y%y), 



where we have used the fact that the key is randomly chosen by AHce with 
uniform probabihty distribution if the vahdation test is not passed. Applying 
the above property for the random variables k and v, we obtain: 



H{k,\v) > to — 2 m 



1 



0(r) + 2y%) , 



which concludes the proof of privacy. □ 
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